The instructions were uploaded midday on Thursday, hours after the Mac App Store made its debut. They instruct the user to download a free app and open up the package contents to access three files—one of which is the Mac App Store receipt for downloading a legitimate app.

Then, if the user can find a non-legit copy of a paid app (the example uses the popular game Angry Birds), he or she can then delete those three files from that app's package contents and replace them with the ones copied from the free app. After that, the pirated app should work as if it was actually purchased through the Mac App Store.

Indeed, it is a pretty straightforward—if not evil—hack. However, as noted by Daring Fireball, the trick doesn't work for all paid apps from the store. Developers who followed Apple's instructions for validating App Store receipts should be unaffected; it's only those who don't check at all, or don't do the right kind of check, that are finding themselves being taken advantage of.

It's a little disappointing that Apple would allow such a simple check to slip through the cracks on paid apps. Undoubtedly, we'll see those developers rush to fix up their apps and resubmit them to the store, but it seems that what's done is done when it comes to the current releases.

79 Reader Comments

Seems to me that if Apple told developers "this is how you verify that your app wasn't pirated" and the developer didn't do it, then they shouldn't be surprised when Apple's anti-piracy checks don't work?

I think its interesting that those checks aren't required. I guess it does show that they're willing to be a lot less rigid with what ends up in the store.

All of Apple's rules about app store approval are focused on usability, consistency or interface, and their own reputation as a business (i.e. no smut.) The app developer's own security isn't Apple's problem.

Curious omission, since the piracy hurts Apple, too. They probably thought it was better to get the store up fast, and with some well-known apps, then start out super-tight. Given the 1 million downloads from Day 1, they probably made the best tradeoff.

Not seeing how it's Apple's responsibility to make sure developers' apps can't be pirated, if they fail to follow Apple's own recommendations.

The problem was Apple's recommendations for how to do the receipt parsing were confusing and difficult to follow. As devs get more used to the Mac app store, they'll get better at implementing the security features.

Curious omission, since the piracy hurts Apple, too. They probably thought it was better to get the store up fast, and with some well-known apps, then start out super-tight. Given the 1 million downloads from Day 1, they probably made the best tradeoff.

Once again, this brings up the oft-cited fallacy that a company with many billions of dollars in revenue and income through hardware, cares enough about the few million dollars in revenue/income in software to worsen the HW where they make the billions from.

Apple made some atrocious decisions, IMO, in the iOS App Store, but most were caused largely because of a bad understanding of what hurts/helps users than nefarious designs.

Makes me like Apple a bit more. When it comes to things that matter to them they are control freaks. But they are no control freaks just to be in control. They told the developers what to do to secure their applications the developer doesn't do it? So its his loss if people pirate the apps.

Meh, piracy exists and will perpetually, get over it and worry about making the paying customers happy. Still, as anal as Apple is about App store approvals they should really have a check in there to make sure that their DRM system is working properly.

Yeah I really wish I could get a free download ticket for apps I already own. Would be doubly nice if they would let you link your account across devices so, for instance, I don't need to pay full price to get the iPad version of an iPhone app.

I think its interesting that those checks aren't required. I guess it does show that they're willing to be a lot less rigid with what ends up in the store.

All of Apple's rules about app store approval are focused on usability, consistency or interface, and their own reputation as a business (i.e. no smut.) The app developer's own security isn't Apple's problem.

Apple better believe it's their problem too. Perception is reality and if developers start to believe that the app store isn't secure against piracy then they won't use it.

Sure it's ultimately the developers fault, but standing on that principle isn't going to endear them to the developers they hope to attract.

I think its interesting that those checks aren't required. I guess it does show that they're willing to be a lot less rigid with what ends up in the store.

They have to be since they aren’t going to shut down the longstanding method for installing apps on Macs.

groovestar wrote:

Could this be used to have apps already owned from outside the App Store (which currently show up as "Installed") appear in the "Purchased" section and hence upgrade through the App Store?

Maybe in the future, but I doubt it. So far Apple is keeping their Mac App Store and the other ways to get apps on your Mac completely separate in the ways they get updated. I think this is a good thing as it allows devs to use different strategies for selling marketing their apps.

Why the hell is this the developers responsibility in the first place? There are plenty of ways to lock down the apps in a basic way (that at least prevents simple copy+paste "hacking") that should be implemented by Apple as part of the infrastructure. Developers on Steam and most other existing computer program stores aren't responsible for implementing the store's DRM correctly. Why did Apple decide to force the developers to implement Apple's DRM for them in the first place?

Why the hell is this the developers responsibility in the first place? There are plenty of ways to lock down the apps in a basic way (that at least prevents simple copy+paste "hacking") that should be implemented by Apple as part of the infrastructure. Developers on Steam and most other existing computer program stores aren't responsible for implementing the store's DRM correctly. Why did Apple decide to force the developers to implement Apple's DRM for them in the first place?

interesting, kinda cool the devs don't have to program with steam in mind at all or take any responsibility.they just need to send valve a retail copy i assume.

98% of the time, anti-piracy measures are required (forced) by the publisher, and the publishers responsibility. Every digital store I've seen or worked with has also been that case. At most, they require developers to implement a library they create and maintain, and require that for publishing.

Why the hell is this the developers responsibility in the first place? There are plenty of ways to lock down the apps in a basic way (that at least prevents simple copy+paste "hacking") that should be implemented by Apple as part of the infrastructure. Developers on Steam and most other existing computer program stores aren't responsible for implementing the store's DRM correctly. Why did Apple decide to force the developers to implement Apple's DRM for them in the first place?

interesting, kinda cool the devs don't have to program with steam in mind at all or take any responsibility.they just need to send valve a retail copy i assume.

The Steam DRM is just wrapped around the program. Steam runs a quick check and then the program is unlocked for it to run. Simple and effective.

OK. Wishful thinking (and unrealistic) I know, but still annoying that we just have to accept that people will always try to steal stuff if they can. How much simpler would it be for everyone if folks were just...honest.

Why the hell is this the developers responsibility in the first place?

Perhaps because its much easier for them to add a couple of API calls instead of wrapping a whole new layer of DRM around the whole program? I assume that they need to make some changes to their application anyway to add versioning updatability etc. Again its a question of incentives here. Its Apple's incentive that the platform works smoothly, that no performance is lost by unnecessary DRM and its pretty much in the interest of the developer to make sure that their apps cannot be pirated. Just because the App Store could wrap everything in additional layers of DRM and bloat it all up thus making it easier for the developer doesn't mean that its a good idea.

Why the hell is this the developers responsibility in the first place? There are plenty of ways to lock down the apps in a basic way (that at least prevents simple copy+paste "hacking") that should be implemented by Apple as part of the infrastructure. Developers on Steam and most other existing computer program stores aren't responsible for implementing the store's DRM correctly. Why did Apple decide to force the developers to implement Apple's DRM for them in the first place?

Actually, you're wrong. Modern Warfare 2 was exploited because they didn't implement the steam integrity checks properly, tons and tons of users were able to make free steam accounts and play until it was patched.

The developers of third party DRM can always mess up, anywhere, they are usually just strongly advised against doing so.

The App Store costs money you know. The store front, the software, the credit card transaction, the data storage, the bandwidth. Apple is carrying all of those costs so that the developer doesn't have to.

All of this is more expensive for third party developers to do by themselves.

Can you show where in Apple's quarterly statements they are making a significant profit from the iPhone App Store?

wjousts wrote:

I'll also add that piracy is Apple's problem because Apple take a cut of the app store sales. Less sales = less money for Apple = it's Apple's problem whether they like it or not.

Developers on Steam and most other existing computer program stores aren't responsible for implementing the store's DRM correctly. Why did Apple decide to force the developers to implement Apple's DRM for them in the first place?

interesting, kinda cool the devs don't have to program with steam in mind at all or take any responsibility.they just need to send valve a retail copy i assume.

Actually, Steam is very similar to the App Store in this case. Developers can choose how much they want to protect their games on Steam. Some just use it to distribute, and you can just browse around on disk and run their EXE directly. These tend to have little to no DRM in them. Other games are compiled against SteamWorks, and must be launched through Steam to gain the protections of the setup, and to integrate with the achievements and such. And yes, work has to be done on the developer side to check with the Steam network.

In either case, it's not just "send a retail copy to Valve." Developers are responsible for using the Steamworks SDK even to do a basic installer package with no DRM. Very similar to any publishing platform out there, the creator has to do the legwork to prepare it for the store it will be sold in.

Why the hell is this the developers responsibility in the first place? There are plenty of ways to lock down the apps in a basic way (that at least prevents simple copy+paste "hacking") that should be implemented by Apple as part of the infrastructure. Developers on Steam and most other existing computer program stores aren't responsible for implementing the store's DRM correctly. Why did Apple decide to force the developers to implement Apple's DRM for them in the first place?

Because their is a significant number that neither want security or restrictions in the code they distribute. So if you are not worked about people making copy's it is more things that may fail, additional overhead at run-time and/or more work in development/testing. Also many will roll their own security or use a third party for it.

The problem was Apple's recommendations for how to do the receipt parsing were confusing and difficult to follow.

The early versions of Apple's docs might have been less than stellar (they got much better later), but there were plenty of discussions on the dev forums, with some folks even posting cut-and-paste code to handle the difficult parts. Even the early docs stated, "if you don't do this, folks can pirate your app". Other than cutting corners, I don't see how one would have a reasonable excuse to implement it correctly.

Agree that this shouldn't be a developer responsibility to build DRM *into* the application: the DRM should be external to it.

Rather than library calls, Apple should instead provide a way for developers to repackage an application to run in a DRM sandbox environment. That way, the sandbox could be the same across Mac OS X, iPhone, iPod Touch, and iPad.

The App Store costs money you know. The store front, the software, the credit card transaction, the data storage, the bandwidth. Apple is carrying all of those costs so that the developer doesn't have to.

All of this is more expensive for third party developers to do by themselves.

Can you show where in Apple's quarterly statements they are making a significant profit from the iPhone App Store?

wjousts wrote:

I'll also add that piracy is Apple's problem because Apple take a cut of the app store sales. Less sales = less money for Apple = it's Apple's problem whether they like it or not.

Firstly, nice redirection. We're not talking about the iPhone App store so how the hell is that relevant? Secondly, if everybody is pirating software then Apple doesn't get anything back from their App store and they will surely shut it down. It's one thing if it doesn't make a profit, but otherwise supports the platform in less tangible ways, it's another if it brings in no revenue at all and, rather than supporting the platform and encouraging developers, it does the exact opposite.

Why is this being touted as a fault of the App Store? This is an individual developer issue. And how is this easier than just finding or generating a serial # for non App Store apps? Besides, the amount of exposure and legitimate buys far outweigh this small hole that will soon be patched up.

Why is this being touted as a fault of the App Store? This is an individual developer issue. And how is this easier than just finding or generating a serial # for non App Store apps? Besides, the amount of exposure and legitimate buys far outweigh this small hole that will soon be patched up.

because apple came up with a fail system that puts burden on the devs to use their system